Revert "firewall: always allow outgoing DNS traffic to root servers"
authorArne Fitzenreiter <arne_f@ipfire.org>
Fri, 18 Oct 2019 14:13:49 +0000 (16:13 +0200)
committerArne Fitzenreiter <arne_f@ipfire.org>
Fri, 18 Oct 2019 14:13:49 +0000 (16:13 +0200)
This reverts commit 70cd5c42f003292bd1ecb9e38018782679dbd01e.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
config/rootfiles/core/137/filelists/files
src/initscripts/system/firewall

index 33f86862f5a739f2ab613da7ffb6802947f157a7..3b7c8d23b36215662b8ffcb4b231098f7d9941fe 100644 (file)
@@ -1,6 +1,8 @@
 etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/credits.cgi
+usr/lib/firewall/rules.pl
+usr/sbin/firewall-policy
 var/ipfire/langs
 etc/logrotate.conf
 etc/rc.d/init.d/firewall
@@ -17,3 +19,4 @@ usr/local/bin/xt_geoip_update
 var/ipfire/backup/bin/backup.pl
 var/ipfire/qos/bin/makeqosscripts.pl
 var/ipfire/suricata/ruleset-sources
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
index 602bd6c5b4ae8df8a68350fe6c1e79955db0189e..ec396c708c8e6b03396b0033ce2649fb61dec09b 100644 (file)
@@ -6,7 +6,6 @@
 eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
-ROOTHINTS="/etc/unbound/root.hints"
 IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'`
 
 if [ -f /var/ipfire/red/device ]; then
@@ -308,17 +307,6 @@ iptables_init() {
        iptables -A INPUT -j TOR_INPUT
        iptables -N TOR_OUTPUT
        iptables -A OUTPUT -j TOR_OUTPUT
-
-       # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers
-       local rootserverips="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )"
-       ipset -N root-servers iphash
-
-       for ip in "${rootserverips[@]}"; do
-               ipset add root-servers $ip
-       done
-
-       iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 -j ACCEPT
-       iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 -j ACCEPT
        
        # Jump into the actual firewall ruleset.
        iptables -N INPUTFW